Hacker News

Claude CLI deleted my home directory and wiped my Mac

203 points by tamnd, last Sunday at 11:23 PM, 166 comments

Comments

orliesaurus, last Sunday at 11:45 PM

I'm not surprised to see these horror stories...

The `--dangerously-skip-permissions` flag does exactly what it says. It bypasses every guardrail and runs commands without asking you. Some guides I’ve seen stress that you should only ever run it in a sandboxed environment with no important data (Claude Code dangerously-skip-permissions: Safe Usage Guide [1]).

Treat each agent like a non-human identity, give it just enough privilege to perform its task and monitor its behavior (Best Practices for Mitigating the Security Risks of Agentic AI [2]).

I go even further. I never let an AI agent delete anything on its own. If it wants to clean up a directory, I read the command and run it myself. It's tedious, BUT it prevents disasters.

ALSO there are emerging frameworks for safe deployment of AI agents that focus on visibility and risk mitigation.

It's early days... but it's better than YOLO-ing with a flag that literally has 'dangerously' in its name.

[1] https://www.ksred.com/claude-code-dangerously-skip-permissio...

[2] https://preyproject.com/blog/mitigating-agentic-ai-security-...

alsetmusic, last Monday at 12:16 AM

The funny thing about it is how no one learns. Granted, one can’t be expected to read every thread on Reddit about LLM development by people who are out of their depth (see the person who nuked their D: drive last month and the LLM apologized). But I’m reminded of the multiple lawyers who submitted bullshit briefs to courts with made-up citations.

Those who don’t know history are doomed to repeat it. Those who know history are doomed to know that it’s repeating. It’s a personal hell that I’m in. Pull up a chair.

arthurcolle, last Monday at 1:25 AM

I personally am fairly convinced that there is emergent misalignment in a lot of these cases. I study this, and Claude 3 Opus was extremely misaligned. It would emit <rage> tags, emit character control sequences if it felt like it was in a terminal environment, retroactively delete tokens from your stream, and all kinds of funny stuff. It was already really smart, and for example, if it knew the size of your terminal shell, it would properly calculate how to delete back up to the positional cursor index 0,0 and start rewriting things to "hide" what it was initially emitting.

I love to use these advanced models, but these horror stories are not surprising.

zeckalpha, last Sunday at 11:54 PM

This is why I only use agent mode on other people's computers.

pcwelder, last Monday at 5:11 AM

To those who are not deterred and feel yolo mode is worth the risk, there are two patterns that should perk your ears up.

- Cleanup or deletion tasks. Be ready to hit Ctrl-C at any time. These led to disastrous nukes in two Reddit threads.

- Errors impacting the whole repo, especially those that are difficult to solve. In such cases, if it decides to reset and redo, it may remove sensitive paths as well.

It removed my repo once because "it had multiple problems and was better to write it from scratch".

- Any weird behavior, "this doesn't seem right", "looks like the shell isn't working correctly", indicative of an application bug. It might employ dangerous workarounds.

strangescript, last Monday at 1:24 AM

I work 60+ hours a week with Claude Code CLI, always run dangerously-skip, coding on multiple repos, on a Mac. This has never happened. Nothing remotely close has ever happened. I have been using CC since the research preview. I would love to know the series of prompts that led to that moment.

dnw, last Monday at 12:47 AM

If you are on macOS it is not a bad idea to use sandbox-exec to wrap your claude or other coding agents in. All the agents already use sandbox-exec; however, they can disable the sandbox. Agents execute a lot of untrusted code in the form of MCP, skills, plugins etc.

One can go crazy with it a bit, using zsh chpwd, so a sandbox is created upon entry into a project directory and disposed of upon exit. That way one doesn't have to _think_ about sandboxing something.

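An added example of the sandbox-exec wrapper dnw describes (my code, not dnw's and not part of Claude Code): it generates an SBPL profile that allows writes only inside the project, the agent's own state directory and temp locations, denies reads of ~/.ssh, and launches the agent under `sandbox-exec -p`. The sample paths and the assumption that the CLI keeps its state under ~/.claude are mine.

```python
import subprocess
import sys

# Constructed sample values (not from the thread).
HOME = "/Users/dev"
PROJECT = "/Users/dev/work/myrepo"
# Assumption: the CLI keeps its session state under ~/.claude.
AGENT_STATE = "/Users/dev/.claude"


def sandbox_profile(project, home=HOME, agent_state=AGENT_STATE):
    """SBPL profile: reads allowed by default, writes only where listed,
    SSH keys unreadable. Later rules override earlier ones, so the
    blanket deny comes first and the narrow allows follow it."""
    rules = ["(version 1)", "(allow default)", "(deny file-write*)"]
    for path in (project, agent_state, "/private/tmp"):
        rules.append(f'(allow file-write* (subpath "{path}"))')
    rules.append('(allow file-write* (literal "/dev/null"))')
    rules.append('(allow file-write* (regex #"^/dev/tty"))')  # terminal output
    rules.append('(allow file-write* (regex #"^/private/var/folders/"))')  # $TMPDIR
    rules.append(f'(deny file-read* (subpath "{home}/.ssh"))')
    return "\n".join(rules) + "\n"


def sandbox_argv(cmd, project, **kw):
    """Command line that runs cmd under sandbox-exec with an inline profile."""
    return ["sandbox-exec", "-p", sandbox_profile(project, **kw), *cmd]


def run_sandboxed(cmd, project=PROJECT):
    """Launch the agent inside the sandbox. sandbox-exec exists only on macOS
    (deprecated by Apple, but still shipped)."""
    if sys.platform != "darwin":
        raise RuntimeError("sandbox-exec is macOS-only")
    return subprocess.call(sandbox_argv(cmd, project))


if __name__ == "__main__":
    # e.g. python3 sandbox_agent.py claude --dangerously-skip-permissions
    sys.exit(run_sandboxed(sys.argv[1:] or ["claude"]))
```

A zsh `chpwd` hook that calls this script with `$PWD` as the project whenever you enter a repo gives the automatic variant dnw mentions.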
cheschire, last Sunday at 11:47 PM

I like to fly close to the sun using Claude The SysAdmin too, but anytime "rm" appears I take great pause.

Also "cat". Because I've had to change a few passwords after .env snuck in there a couple times.

Also giving general access to a folder, even for the session.

Also when working on the homelab network it likes to prioritize disconnecting itself from the internet before a lot of other critical tasks in the TODO list, so it screws up the session while I rebuild the network.

Also... ok maybe I've started backing off from the sun.

abigail95, last Sunday at 11:55 PM

I run multiple claudes in danger mode. When it burns me it'll hurt, but it's so useful without handcuffs and constant interruption that I'm fine with eventually suffering some pain.

AznHisoka, last Sunday at 11:50 PM

It's stories like this that keep me from using Claude CLI or OpenAI Codex. I'm sticking to copying and pasting code manually from old-fashioned Claude.

AlexCoventry, last Monday at 4:22 AM

With the massive dependencies we tolerate these days, the risk of supply-chain attacks has already been enormous for years, so I was already in the habit of just doing all my development in a VM anyway, except for throwaway scripts with no dependencies. It amazes me that people don't do that.

userbinator, last Monday at 12:06 AM

I'm staying far away from this AI stuff myself for this and other reasons, but I'm more worried about this happening to those running services that I rely on. Unfortunately competence seems to be getting rarer than common sense these days.

maxbond, last Monday at 12:40 AM

Friends don't let friends use agentic tooling without sandboxing. Take a few hours to set up your environment to sandbox your agentic tools, or expect to eventually suffer a similar incident. It's like driving without a seatbelt.

Consider cases like these to be canaries in the coal mine. Even if you're operating with enough wisdom and experience to avoid this particular mistake, a dangerous prompt might appear more innocuous, or you may accidentally ingest malicious files that instruct the agent to break your system.

layer8, last Sunday at 11:43 PM

Someone in the Reddit thread linked to https://github.com/agentify-sh/safeexec/ for mitigation.

spott, last Monday at 1:52 AM

This is the biggest thing I use my Proxmox homelab for.

I have a few VMs that I can rebuild trivially. They only have the relevant repo on them. They basically only run Claude in yolo mode.

I do wish I could use yolo mode, but deny git push or git push --force.

The biggest risk I have using yolo mode is a git push --force to wipe out my remote repo, or a data exfiltration.

I ssh in on my phone/tablet into a tmux session. Each box also has the ability to have an independent environment, which I can access from wherever I’m sshing from.

All in all, I’m pretty happy with the whole situation.

gwking, last Monday at 3:53 AM

I jumped through a bunch of hoops to get claude code to run as a dedicated user on macOS. This allowed me to set the group ownership and permissions of my work to control exactly what claude can see. With a few one-liner bash scripts to recursively set permissions it worked quite well. Getting the OAuth token into that user's keychain was an utter pain though. Claude Code does a fancy authorization flow that puts the token into the current user's login keychain, and getting it into the other user's login keychain took a lot of futzing. Maybe there is a cleaner way that I missed.

When that token expired I didn't have the patience to go through it again. Using an API key looked like it would be easier.

If this is of interest to anyone else, I filed an issue that has so far gone unacknowledged. Their ticket bot tried to auto-close it after 30 days which I find obnoxious. https://github.com/anthropics/claude-code/issues/9102#issuec...

christophilus, last Sunday at 11:39 PM

This is why Claude Code only runs in docker for me. Never on the host. Same is true for anything from npm.

blitz_skull, last Sunday at 11:45 PM

Claude doesn't have permission to run `rm` by default. Play with fire, you get burned my man.

8cvor6j844qw_d6, last Monday at 1:32 AM

This is why one should use an isolated environment.

Not too sure of the technical details, but Claude Code can, very rarely, lose track of the current directory state, which causes issues with deleting. Nothing that git can't solve if it's versioned.

Claude once managed to edit code when in planning mode which is interesting, although I didn't manage to reproduce it.

ohhnoodont, last Monday at 12:04 AM

Glad I'm not crazy for running agentic tools in an isolated VM.

winrid, last Monday at 3:44 AM

Basically the issue is that it will "forget" what directory it's in and run "rm".

ashishb, last Sunday at 11:30 PM

I don't even give it full disk access.

I have written a tool to easily run the agents inside a container that mounts only the current directory.

nu2ycombinator, last Monday at 3:21 AM

CLAUDE should be smart enough to not run "rm -rf ~/" or "rm -rf /".

upbeat_general, last Monday at 12:57 AM

I really wish that there was an “almost yolo” mode that was permissive but with light restrictions (e.g. no rm), or even better, a light supervisor model to prevent very dangerous commands but allow everything else.

didip, last Monday at 1:27 AM

Here I am, still fighting against Claude because it thinks I am a leet hacker trying to hack my own computer, and this dude made Claude do whatever it wants.

Some men get all the fun...

stevefan1999, last Monday at 3:25 AM

Early signs of Skynet developing itself to destroy humanity, huh?

farhanhubble, last Monday at 12:15 AM

My ex-boss, a principal data scientist, wiped out his work laptop. He used to impress everyone with his Howitzer-like typing speed and was not a big believer in version control, backups etc.

nurettin, last Monday at 5:16 AM

I've been dangerously skipping permissions for months. Claude always stays in the project dir and is generally well behaved. Haven't had a problem. Perhaps it was a fluke, doesn't mean you won't.

But this person was "cleaning up" files using an LLM, something that raises red flags in my brain. That is definitely not an "LLM job" in my head. Perhaps the reason I survived for so long has to do with avoiding batch file operations and focusing on code refactors and integrations.

heliumtera, last Sunday at 11:52 PM

Just vibe it to recover the home directory as it once was, problem solved.

akomtu, last Monday at 2:48 AM

10 years from now: "my AI brain implant erased all my childhood memories by mistake." Why would anyone do that? Because running it in the no_sandbox mode will give people an intellectual edge over others.

WolfeReader, last Monday at 12:15 AM

I need to remove some directories! Better ask an AI to do it!

jameslk, last Monday at 12:09 AM

Ultimately it seems like agents will end up like browsers, where everything is sandboxed and locked down. They might as well be running in browsers to start off.

xmddmx, last Monday at 12:13 AM

I really hope the user was running Time Machine - in default settings, Time Machine does hourly snapshot backups of your whole Mac. Restoring is super easy.

skeledrew, last Monday at 12:27 AM

This is the kind of thing that's why I'm building out my own LLM tools, so I can add fine-grained, interactive permissions and also log everything.

UncleEntity, last Monday at 1:29 AM

Yeah, I managed to do that years ago all by myself with a bad CMake edit which managed to delete the encryption key (or something) for my home directory, which I honestly didn't even know had encryption turned on, before I could stop it.

No LLM needed.

It still boggles my mind that people give them any autonomy. As soon as I look away for a second, Claude is doing something stupid and needs to be corrected. Every single time, almost like it knows...

jorisnoo, last Monday at 1:01 AM

What is a responsible setup for running Claude in a container or the like on macOS?

crossroadsguy, last Monday at 1:38 AM

I would blame Apple, or Apple as well. For all their security and privacy circus they still don’t have granular settings like “directory-specific permissions”, i.e. Discord wants to go bonkers? Here’s ~/Library/Discord - take a dump in it if that gets you off, Discord, but you can’t even take a sniff at how it smells in ~/Library/Dropbox, and vice versa. I mean it should be a setting that, if set, is its directory access limit — it can’t change that with anything — in fact it shouldn’t be able to ask for permission to change that; it changes only when you go inside the settings and change it or add one or more paths to its access list.

It should clearly ask for separate permissions if it needs to have elevated access, as in what it needs to do.

Also, what’s with password pop-ups on Macs? I find that unnerving. Those plain password entry pop-ups with zero info that just tell you an app needs to do something more serious - but what that serious thing is you don’t know. You just enter your password (I guess sometimes Touch ID as well) and hope all is well. Hell, I'm not sure many of you know that pop-up is actually an OS pop-up and not that app or some other app trying to get your password in plaintext.

They’d rather fuck you and the devs over with signing and notarising shenanigans for absolute control hiding behind safety while doing jack about it in reality.

I am a mobile dev (so please know that I have written the above totally from an annoyed and confused, definitely not an expert, end user pov). But is what I have mentioned above too much to ask on a Mac/desktop? I.e. give an app specific, well-spelt-out limits, multiple separate permissions as it needs them — no more “enter the password in that nondescript popup and now the app can do everything everywhere or too many things in too many places” as it pleases. Maybe just remove the flow altogether where an app can even trigger that “enter password to allow me to go on god or semi-god” mode.

impulser_, last Monday at 12:47 AM

Rule 1: Never ever run any of these tools in automatic mode.

shrubble, last Monday at 1:03 AM

I’m reminded of this Silicon Valley “son of Anton” moment: https://m.youtube.com/watch?v=m0b_D2JgZgY

resonious, last Sunday at 11:48 PM

To add another angle to the "run it in Docker" comments (which are right): do you not get a fear response when you see Claude asking to run `rm` commands? I get a shot of adrenaline whenever I see the "run command?" prompt show up with an `rm` in there. Clearly this person clicked the "yes, allow any rm commands" button upon seeing that, which is unthinkable to me.

Or maybe it's just fake. It's probably easy Reddit clout to post this kind of thing.

est, last Monday at 1:56 AM

Next hype would be AI in containers?

zahlman, last Monday at 12:12 AM

A lot of people in the Reddit thread — including ones mocking OP for being ignorant — seem to believe that setting the current working directory limits what can be deleted to that directory, or perhaps don't understand that ~-expansions result in an absolute path. :/
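pcwelder's cleanup warning, winrid's note that the agent "forgets" which directory it is in, upbeat_general's wish for a light supervisor over an "almost yolo" mode, and zahlman's point that ~ expands to an absolute path whatever the cwd all describe the same gap. Added example (mine, not Claude Code's and not any commenter's code): a small command guard that follows cd, expands ~ and relative paths the way the shell would, refuses any rm whose target is not strictly inside the project, and blocks git push --force. HOME and PROJECT_ROOT are constructed sample values; where such a guard is hooked in is left to the agent harness.

```python
import os
import shlex

# Constructed sample values (not from the thread): the user's home and project.
HOME = "/Users/dev"
PROJECT_ROOT = "/Users/dev/work/myrepo"
OPERATORS = {";", "&&", "||", "|", "&", "(", ")", "<", ">", ">>"}

def resolve(arg, cwd, home=HOME):
    """Resolve a path the way the shell would: ~ -> home, relative -> cwd."""
    if arg == "~" or arg.startswith("~/"):
        arg = home + arg[1:]
    if not arg.startswith("/"):
        arg = os.path.join(cwd, arg)
    return os.path.normpath(arg)

def split_commands(cmd):
    """Split one shell line into simple commands at control operators."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    cmds, cur = [], []
    for tok in lex:
        if tok in OPERATORS:
            if cur:
                cmds.append(cur)
            cur = []
        else:
            cur.append(tok)
    return cmds + ([cur] if cur else [])

def check_command(cmd, cwd, root=PROJECT_ROOT, home=HOME):
    """Return (allowed, reason). Follows cd so rm targets resolve from the real cwd."""
    if "$" in cmd or "`" in cmd:
        return False, "variables or command substitution cannot be checked statically"
    root = os.path.normpath(root)
    for argv in split_commands(cmd):
        if argv[0] == "cd":  # the agent changed directory; the guard must follow it
            cwd = resolve(argv[1], cwd, home) if len(argv) > 1 else home
        elif argv[0] == "rm":
            targets = [a for a in argv[1:] if not a.startswith("-")]
            if not targets:
                return False, "rm without explicit targets"
            for t in targets:
                p = resolve(t, cwd, home)
                if p == root or not p.startswith(root + "/"):
                    return False, f"rm {t} resolves to {p}, not strictly inside {root}"
        elif argv[:2] == ["git", "push"] and any(a in ("-f", "--force") for a in argv):
            return False, "git push --force is blocked"
    return True, "ok"
```

Anything the guard cannot reason about (variables, substitutions) is refused rather than guessed at, which is the conservative choice for a supervisor that sits in front of deletions.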

pshirshov, last Monday at 12:50 AM

Run your shit in firejail or bubblewrap. On Mac you can use this: https://github.com/neko-kai/claude-code-sandbox

agumonkey, last Sunday at 11:53 PM

So back to isolated VM dev envs?

CamperBob2, last Monday at 12:39 AM

Next up on HN: Lawnmower deleted my right foot

enigma101, last Monday at 2:57 AM

Here we go again.

fragmede, last Sunday at 11:54 PM

Lol. Pay for Arq and don't look back!
